Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
31/08/2024, 11:11 UTC
Static task
static1
Behavioral task
behavioral1
Sample
212068494b9a5e0238568a842da660da.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
212068494b9a5e0238568a842da660da.exe
Resource
win10v2004-20240802-en
General
-
Target
212068494b9a5e0238568a842da660da.exe
-
Size
971KB
-
MD5
212068494b9a5e0238568a842da660da
-
SHA1
880afab8133a3b62a4e1d87f94bcef846846f024
-
SHA256
6046803acf690fbb6e646be03c4a59201fe1a96b8791dd4bf8d2bc4c7eeb7d32
-
SHA512
afd63a289f8c1a5ac2b1ade03c6db1f5a6cc6efa8ddc8c33a7559c699d97df09a00cfff87d366065f39a13643efe0e37bf0049a021c4ec51e27b91f30d6dcaf1
-
SSDEEP
24576:dBrYKjLhvej6aV9b7w6tt6nWHdCgjuf+lBqA:dZLh+6ac6ttfH3KSq
Malware Config
Extracted
remcos
RemoteHost
103.161.133.245:9898
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-LN5NIY
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/2724-46-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2704-52-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2724-49-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2724-48-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2704-47-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2956-54-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2704-59-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2956-68-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2956-54-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/2956-68-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2704-52-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2704-47-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2704-59-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 212068494b9a5e0238568a842da660da.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2524 set thread context of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2512 set thread context of 2704 2512 212068494b9a5e0238568a842da660da.exe 30 PID 2512 set thread context of 2956 2512 212068494b9a5e0238568a842da660da.exe 31 PID 2512 set thread context of 2724 2512 212068494b9a5e0238568a842da660da.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 212068494b9a5e0238568a842da660da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 212068494b9a5e0238568a842da660da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 212068494b9a5e0238568a842da660da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 212068494b9a5e0238568a842da660da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 212068494b9a5e0238568a842da660da.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2704 212068494b9a5e0238568a842da660da.exe 2704 212068494b9a5e0238568a842da660da.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 2512 212068494b9a5e0238568a842da660da.exe 2512 212068494b9a5e0238568a842da660da.exe 2512 212068494b9a5e0238568a842da660da.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2724 212068494b9a5e0238568a842da660da.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2524 wrote to memory of 2512 2524 212068494b9a5e0238568a842da660da.exe 29 PID 2512 wrote to memory of 2704 2512 212068494b9a5e0238568a842da660da.exe 30 PID 2512 wrote to memory of 2704 2512 212068494b9a5e0238568a842da660da.exe 30 PID 2512 wrote to memory of 2704 2512 212068494b9a5e0238568a842da660da.exe 30 PID 2512 wrote to memory of 2704 2512 212068494b9a5e0238568a842da660da.exe 30 PID 2512 wrote to memory of 2704 2512 212068494b9a5e0238568a842da660da.exe 30 PID 2512 wrote to memory of 2956 2512 212068494b9a5e0238568a842da660da.exe 31 PID 2512 wrote to memory of 2956 2512 212068494b9a5e0238568a842da660da.exe 31 PID 2512 wrote to memory of 2956 2512 212068494b9a5e0238568a842da660da.exe 31 PID 2512 wrote to memory of 2956 2512 212068494b9a5e0238568a842da660da.exe 31 PID 2512 wrote to memory of 2956 2512 212068494b9a5e0238568a842da660da.exe 31 PID 2512 wrote to memory of 2724 2512 212068494b9a5e0238568a842da660da.exe 32 PID 2512 wrote to memory of 2724 2512 212068494b9a5e0238568a842da660da.exe 32 PID 2512 wrote to memory of 2724 2512 212068494b9a5e0238568a842da660da.exe 32 PID 2512 wrote to memory of 2724 2512 212068494b9a5e0238568a842da660da.exe 32 PID 2512 wrote to memory of 2724 2512 212068494b9a5e0238568a842da660da.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exe"C:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exe"C:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exeC:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exe /stext "C:\Users\Admin\AppData\Local\Temp\npfenuetnab"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2704
-
-
C:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exeC:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsswgfpubitjnz"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exeC:\Users\Admin\AppData\Local\Temp\212068494b9a5e0238568a842da660da.exe /stext "C:\Users\Admin\AppData\Local\Temp\imxphxioxqloyfhes"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
Network
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
Remote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
2.5kB 771 B 11 15
-
30.7kB 510.6kB 203 372
-
623 B 2.5kB 12 4
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84